Important info on Request Validation

Yosi Taguri writes:

we've moved our code into vs.net 2003

we noticed a problem when passing parameters to the server that contained xml code

we got "A potentially dangerous request......"

searching thru google came up with this:

http://www.asp.net/faq/RequestValidation.aspx

a neat explanation to a new feature in 1.1..

u can disable it with :

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

in your web.config / machine.config

[Yosi Taguri]

It's very important to point out (for the benefit of those who don't follow the link) that you should NOT turn off request validation unless you have implemented your own input filtering/validation code. It can be very challenging to get this stuff right, which is likely part of why the request validation feature was added.

If you don't need to allow HTML tags or HTML-encoded input, just leave request validation turned on, and provide a handler for the exception it throws.

If you DO need to allow HTML input on a given page, turn off request validation at the page level using the validateRequest attribute of the @ Page directive, rather than turning it off at the machine or application level. That way, if you (or someone on your team) add a page later that accepts input, that page will be automatically protected.
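
The two recommendations above, sketched as an added example (not code from the original post or the linked FAQ): request validation stays on application-wide with a handler for the exception it throws, and a single page opts out and does its own checking. The class names, the "payload" form field and the Result control are hypothetical.

```csharp
// Added example; Global, XmlUpload, "payload" and Result are hypothetical names.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Xml;

// Global.asax.cs: request validation stays ON for the whole application.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // GetBaseException() also unwraps an HttpUnhandledException wrapper.
        if (ex != null && ex.GetBaseException() is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;
            // Static text only: never echo the rejected value back.
            Response.Write("The submitted input contained characters that are not allowed.");
        }
    }
}

// XmlUpload.aspx.cs: the only page that opts out, via its own directive:
//   <%@ Page validateRequest="false" Inherits="XmlUpload" %>
public class XmlUpload : Page
{
    protected Literal Result; // declared in the .aspx markup
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.HttpMethod != "POST") return;
        string raw = Request.Form["payload"];
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null; // do not fetch external DTDs or entities
        try { doc.LoadXml(raw == null ? "" : raw); }
        catch (XmlException)
        {
            Response.StatusCode = 400;
            Result.Text = "Payload is not well-formed XML.";
            return;
        }
        // The built-in filter is off for this page, so encode on output.
        Result.Text = Server.HtmlEncode(doc.DocumentElement.Name);
    }
}
```

Every other page in the application keeps the default validateRequest="true", so a page added later is still covered by the built-in check and the Application_Error handler.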

1 Comment

  • hi there,


    it's ok for html...


    but what if I want to let XML parameters flow to the server.


    although html is xml, there should be A DISTINCTION in the validator.





    I'd like to use this feature, if they put it then we should consider using it.
